密码学代写 | CP3404 Assignment 2

本次澳洲CS代写主要是密码学相关的作业

CP3404 Assignment 2

SP21, Brisbane (2021)

Due by Friday April 30, 2021 (no later than 5:00pm)

Aim: This assignment is designed to help you improve your critical thinking and problem solving skills, as well as your information literacy skills (i.e. the ability to select and organise information and to communicate it effectively and ethically).

Requirements, Method of Submission, and Marking Criteria:

[4 marks]

In a strange twist of fate, the company hit with this attack dragged not a hacker, but another company, an ISP, and five of its customers into court. The ISP claimed to be the victim not the perpetrator of the attacks and therefore not liable.The Suit was referred to a U.S. District Court, but never made it to trial. C.I. Host’s attorneys convinced a judge to issue a restraining order shutting down three of the ISP’s Web servers until the ISP could prove that the vulnerabilities had been rectified. The attacks lasted a few days; to resolve the issue, the lawsuit took over seven months, and several hundreds of thousands of dollars in legal fees, time, and effort.

The question is, when information security fails, who’s to blame? Or in the court’s eyes, who’s liable? Even though the hacker is the culprit, with the standards of due care and due diligence, the companies

1Adapted from Whitman and Mattord’s book, which in turn adapted from S. Scalet’s article, CIO Magazine, November 1. 2001. 1

that are being hacked and then used in other attacks are becoming increasingly liable for damage to other companies.

”It’s not a ’sky is falling’ issue,” says one CIO when asked about likelihood of such lawsuits. ”This is what an intelligent, forward-thinking company is thinking about. We believe that we’ve taken every possible precaution, and we’re looking at every possible thing on the horizon.”

The lawmakers are paying attention as well. A new bill is being drafted in the U.S. Senate that could exempt businesses from the Freedom of Information Act (FOIA), in order to protect businesses from being required to disclose the results of attacks and their information security protection strategies. Another bill in the House, would prohibit the use of voluntarily provided information from being used in a lawsuit in information security related cases.

Although no direct liability lawsuits have been tried yet, it’s just a matter of time. What can companies do? ”The best defense for the impending legal hassle is a much-advised, often-ignored list of best practices. The question is whether the gathering clouds will have the proverbial silver lining and generate an incentive for companies to act on security best practices. In the process of doing so, they just might prevent hackers from doing damage in the first place.” ”There’s always going to be that rare group of people who want to take advantage of the system,” says Bette Walker, CIO of Energy and Chassis Systems for Delphi Automotive Systems in Flint, Michigan.

”Security can become a legal problem, I think of it first as preventing a problem from occurring. Then the next step, I don’t have to worry about.”

(a) How can standards of due care and due diligence protect a company from being used in this type of situation?

(b) Why would a company want to go after an ISP in a situation like this, wjhen clearly the ISP is a victim as much as the attacked organization?

[4 marks]

3. Cryptanalysis of a Polyalphabetic Cipher:
In this question you learn a classical polyalphabetic substitution cipher (known as Vigen ́ere cipher), and are required to cryptanalysis a given cryptogram.

Cryptanalysis of an information system is the study of mathematical techniques for attempting to defeat information security services. A cryptographic system is said to be breakable if a third party (i.e., crypt- analyst), without prior knowledge of the key, can systematically recover plaintext from corresponding ciphertext within an appropriate time frame.

Background

Julius Caesar used a cipher which moved each letter of the alphabet to the letter three to the left in the predetermined order of the letters of the alphabet. Figure 1 shows original English alphabet and corresponding cryptogram alphabet in Caesar cipher:

abcdefghijklmnopqrstuvwxyz defghijklmnopqrstuvwxyzabc

Figure 1: English alphabet letter and their corresponding cryptograms in the Caesar cipher

In order to use mathematical notations, let convert letters of the alphabet to integers. The most natural conversion is to assign to each letter an integer which indicates the position of the letter in the alphabet. That is, assign 0,1,···,24,25 to a,b,···,y,z, respectively. Using this conversion, Caesar cipher can be expressed as:

C=Ek(M)=M+3 (mod26) 2

where ‘C’ is the cryptogram, ‘E’ is the encryption algorithm, ‘k’ is the key, ‘M’ is the message/plaintext (one may replace integer 3 by letter ‘d’).

Caesar cipher is from the family of shift ciphers, in which the cryptogram is a shifted version of the original alphabet. Cryptanalysis of the Caesar (and all shift ciphers) is easy, because there are 26 possible keys/shift.

Vigen ́ere Cipher

In Vigen ́ere cipher the key is more than one letter. That is, Vigen ́ere cipher can be considered as a combination of n shift ciphers, where n is the key-length (i.e., the number of letters in the keyword). Let the message/plaintext be ‘individual character’ and the keyword is ‘host’. Vigen ́ere cipher encrypts the message as follows:

Plaintext individualcharacter Keyword hosthosthosthosthos Cryptogram pbvbcwvnhzuahfsvasj

That is, the first four letters of cryptogram computed as:

‘i’+‘h’ =8+7 ‘n’+‘o’ =13+14 ‘d’+‘s’ =3+18 ‘i’ + ‘t’ = 8 + 19

= 15 (mod 26) i.e., p =1(mod26) i.e.,b =21(mod26) i.e.,v = 1 (mod 26) i.e., b

Since the plaintext is longer than the keyword, keyword is repeated till all letters of the plaintext are encrypted. As it can be seen, a particular letter of the plaintext may be encrypted with different letters from the keyword. For example, the first occurrence of letter ‘i’ from the plaintext is encrypted with ‘h’, where its second and third occurrences are encrypted with letters ‘t’, and ‘o’ respectively. That is, Vigen ́ere cipher is a polyalphabetic substitution cipher.

To break a polyalphabetic substitution cipher, the cryptanalyst must first determine the key-length of the cipher. This can be done using Kassiski method. The Kassiski method uses repetitions of patterns in the ciphertext in order to get a good guess about the keylength. For example, suppose the plaintext ‘to be or not to be’ has been enciphered using the key ‘now’, producing the ciphertext below:

Plaintext tobeornottobe Keyword nownownownown Cryptogram gcxrcnacpgcxr

Inthiscryptogram(i.e.,gcxr cnacpgcxr)arepeatedpatternisgcxr,wherethedistance between these repetitions (i.e., the number of characters from the first letter of the pattern in its first occurrence to the first letter of its second occurrence) is 9. This could be the sign in which the same letters from plaintext is encrypted with the same letters from the keyword. Since in Vigen ́ere cipher the keyword is repeated, the key-length is probably 9 or a divisor of 9 (i.e., 3, because 9 has no other divisor). Assuming that the key length is 3, we split the cryptogram into three cryptogram. That is, the 1st, 4th, 7th, … characters of the cryptogram are the result of encrypting the 1st, 4th, 7th, … characters of the plaintext with the first letter of the keyword (in other word, they are shifted with the same number, as in the Caesar cipher). Similarly, the 2nd, 5th, 8th, … characters are the result of encrypting the corre- sponding letters in the plainteext with the second letter of the key. and the same for the third file. That is, this Vigen ́ere cipher is a combination of 3 Caesar ciphers, where the cryptogram of each Caesar cipher is given as below:

Cryptogram 1: g r a g r
Cryptogram 2: c c c c
Cryptogram 3: x n p r
In order to break each of these Caesar ciphers, we use the letter frequency in the English text. As it is

Figure 2: Letter frequency in English texts shown in Figure 2, ’e’ is the most common letter in English texts. That is:

In Cryptogram 1, we can guess that either ’g’ or ’r’ could be the corresponding letter to ’e’ in the plaintext. If ’g’ corresponds to ’e’, then the first letter of the key should be ′g′ −′ e′ = 6 − 4 = 2, which is ’c’.
If ’r’ corresponds to ’e’, then the first letter of the key should be ′r′ −′ e′ = 17 − 4 = 13, which is ’n’.

In Cryptogram 2, we can guess that ’c’ is the corresponding letter to ’e’ in the plaintext.
If ’g’ corresponds to ’e’, then the first letter of the key should be ′c′ −′ e′ = 2 − 4 = −2 = 24 (calculation mod 26), which is ’y’.

In Cryptogram 3, each character is appeared only once, and thus letter frequency does not work.

Remark: This example is just to show the mechanism of the Kassiscy attack. This attack is very effective for large cryptograms (e.g., in the size of cryptograms given in this assignment).

Your Task:

In the following you can find 10 cryptograms, that are created by Vigen ́ere cipher, where the plaintext is English text and the keyword is a meaningful English word. You are required to decipher the cryptogram that matches with your Student-ID.

[12 marks]

Cryptogram for whom their Student-ID is XXXXXXX0

Cryptogram for whom their Student-ID is XXXXXXX1

Cryptogram for whom their Student-ID is XXXXXXX2

Cryptogram for whom their Student-ID is XXXXXXX3

Cryptogram for whom their Student-ID is XXXXXXX4

Cryptogram for whom their Student-ID is XXXXXXX5

Cryptogram for whom their Student-ID is XXXXXXX6

Cryptogram for whom their Student-ID is XXXXXXX7

Cryptogram for whom their Student-ID is XXXXXXX8

Cryptogram for whom their Student-ID is XXXXXXX9

Rubric for Questions 1 and 2

Exemplary Good Satisfactory Limited Very Limited (9, 10) (7, 8) (5, 6) (2, 3, 4) (0, 1)

Title 10%

– Informative and summative in an excellent way
– Contains most keywords – Intriguing and thought- provoking in an excellent way

Exhibits aspects of exemplary (left) and satisfactory (right)

– Too long or too short
– Partially informative or summative
– Partially intriguing and thought-provoking

Exhibits aspects of satisfactory (left) and very limited (right)

– Too long or too short
– Hardly informative or summative

– Contains no keyword
– Hardly intriguing and thought- provoking

Structure 20%

– Highly appropriate structure and professional format, according to the genre/text type and task requirements, including clear attention to word length limit, and effective use of sections, paragraphs and/or links

– Largely appropriate structure and format, according to the genre/text type and task requirements, including attention to word length limit, and use of sections, paragraphs and/or links

– Inappropriate structure and format, according to the genre/text type and task requirements, with no/limited attention to word length limit, and use of sections, paragraphs and/or links

Content 40%

– Identifies, explains and prioritises key issues in a complex IT related situations, drawing upon relevant theory and real or hypothetical examples.

– Demonstrates clear mastery of the material in the topic area, and shows excellent ability to synthesise and abstract knowledge

– Identifies and explains key issues in a routine IT related situations.
– Demonstrates moderate mastery of the material in the topic area, and shows moderate ability to synthesise and abstract knowledge

– Demonstrates little mastery of the material in the topic area, and shows no ability to synthesise and abstract knowledge

Readability 20%

– Excellent progression of topics
– A highly conventional academic writing style, including the use of appropriate terminology and unbiased language

– Satisfactory progression of topics
– A largely conventional academic writing style, including the use of appropriate terminology and unbiased language

– Unsatisfactory progression of topics
– Unclear explanation for all concepts

Referencing 10%

– Adheres to IEEE/APA/Harvard referencing conventions in in-text citation, presentation of tables/figures and reference list, with next-to- no errors

– Mostly adheres to IEEE/APA/Harvard referencing conventions in in-text citation, presentation of tables/figures and reference list, with some errors

– No referencing or very limited use of references

Rubric for Question 3:

founded in the previous step (highlight the patters in the text/cryptogram).

distances you computed in the previous step.

length computed in the previous step.

letter of the keyword (i.e., applying letter frequency).

plaintext.

Not that determination of the keyword/plaintext from incorrect results in previous steps is not acceptable.